Netgear GS105Ev2 is a 5-port Gigabit switch targeting SMBs. The switch can be configured via a web application and via the Netgear configuration utility. The configuration utility uses a proprietary protocol, the so-called Netgear Switch Discovery Protocol (NSDP), to manage and configure switches. The configuration is protected by a password.

## Status/Metrics/Identifier

Status: unfixed

CVSS v2 Vector: (AV:A/AC:L/Au:N/C:C/I:C/A:C)

CVSS Score: 8.3

CVE-ID: n/a

The highest risk is posed by the authentication bypass; the score reflects this.

## Author/Credits

Benedikt Westermann (TÜV Rheinland i-sec GmbH)

## Authentication bypass in NSDP

The implementation of NSDP on the GS105Ev2 (and possibly on other switches as well) is flawed. An attacker with access to the broadcast domain of the switch can bypass the authentication process. This gives the attacker full control of the switch, i.e., the attacker can modify any configuration setting or flash a different firmware onto the switch.

### Detailed Description of the Vulnerability

NSDP is a simple stateless protocol. A packet consists of a header, a trailer, and a body made up of an array of type-length-value (TLV) triplets.

Of the packet, the following part of the body is of importance:

```
94:00:00:00:00:09:00:04:3a:11:14:06
```

The TLV 94:00:00:00 indicates a packet of type 94 with no payload. This is followed by the TLV 00:09:00:04:3a:11:14:06, where 0x0009 is the type "password change", 0x0004 is the length of the password, and 3a:11:14:06 is the "encrypted" password that is about to be set. The "encryption" of the password is done by XORing the password with the string "NtgrSmartSwitchRock". If the password is longer than this secret, the secret is repeated from its beginning.

If the password has been set successfully, the switch replies with the following message:

```
01:04:00:00:00:00:00:00:3c:97:0e:ee:98:eb:c0:ff:d4:ba:61:fc:00:00:00:78:4e:53:44:50:00:00:00:00
```

If the password is not changed, reboot the switch, as this little bash script does not take the SEQ number into account.

It should be noted that the authentication bypass is not limited to the "set password" function. Other write functions are also affected by this vulnerability.

Please note that the "encryption" scheme for the password is broken. The key string (NtgrSmartSwitchRock) can easily be recovered by a single XOR of a known password with its "encrypted" form. Moreover, the Netgear Configuration Utility broadcasts the password to the network. Thus, an attacker within the broadcast domain can eavesdrop on and decode the password. This fact was already noted in [Security by Obscurity bei Netgear Switches].
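As an added illustration (not part of the original advisory and not Netgear's code), the following Python splits the body bytes quoted above into TLVs, applies the repeating-key XOR with the key named in the advisory, and shows the single-XOR key recovery described in the preceding paragraph. The two-byte type and two-byte length fields are inferred from the quoted bytes 00:09:00:04; header and trailer handling is omitted because their layout is not documented here. The decoded password, "test", follows directly from the quoted bytes 3a:11:14:06. The `find_password_changes` helper is the kind of check a network monitor could run on captured NSDP traffic to flag password writes.

```python
import struct

# Repeating XOR key named in the advisory (19 bytes long).
XOR_KEY = b"NtgrSmartSwitchRock"

# TLV type "password change", as given in the advisory.
TLV_PASSWORD_CHANGE = 0x0009

# Body bytes quoted in the advisory: an empty TLV of type 0x9400 (written
# "type 94" in the text) followed by the password-change TLV.
PAGE_BODY = bytes.fromhex("94000000" "000900043a111406")


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Apply the repeating-key XOR. XOR is symmetric, so the same call both
    "encrypts" a password and decodes an encrypted one. When data is longer
    than the key, the key wraps around, as the advisory describes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_tlvs(body: bytes) -> list[tuple[int, bytes]]:
    """Split an NSDP body into (type, value) pairs. Type and length are
    assumed to be big-endian 16-bit fields (the layout visible in 00:09:00:04)."""
    tlvs = []
    off = 0
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError(f"truncated TLV header at offset {off}")
        tlv_type, tlv_len = struct.unpack_from(">HH", body, off)
        off += 4
        value = body[off:off + tlv_len]
        if len(value) != tlv_len:
            raise ValueError(f"truncated TLV value for type {tlv_type:#06x}")
        off += tlv_len
        tlvs.append((tlv_type, value))
    return tlvs


def find_password_changes(body: bytes) -> list[str]:
    """Return the decoded password of every password-change TLV in body.
    Monitoring use: any write of type 0x0009 seen on the wire is a password
    change that, per the advisory, needs no prior authentication."""
    return [
        xor_with_key(value).decode("ascii", errors="replace")
        for tlv_type, value in parse_tlvs(body)
        if tlv_type == TLV_PASSWORD_CHANGE
    ]


def recover_key_prefix(known_password: bytes, encrypted: bytes) -> bytes:
    """Recover as many key bytes as the known password is long: the single
    XOR the advisory refers to when it calls the scheme broken."""
    if len(known_password) != len(encrypted):
        raise ValueError("plaintext and ciphertext lengths differ")
    return bytes(p ^ c for p, c in zip(known_password, encrypted))


if __name__ == "__main__":
    for tlv_type, value in parse_tlvs(PAGE_BODY):
        print(f"type={tlv_type:#06x} len={len(value)} value={value.hex(':')}")
    print("password set by the quoted packet:", find_password_changes(PAGE_BODY))
    print("key prefix from a known pair:",
          recover_key_prefix(b"test", bytes.fromhex("3a111406")))
```

Running the block prints the two TLVs, the decoded password `test`, and the key prefix `Ntgr` obtained from that single known pair; a longer known password yields correspondingly more of the key, and because the key repeats every 19 bytes a known password of that length recovers it completely.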

Moreover, the configuration backup file stores the password in plaintext when the backup is created via the web interface (fixed in 1.4.0.2). The password, secretPass, is stored in plaintext in the configuration file:

Another issue is the session ID, which appears to be predictable and related to the uptime of the switch. After a first login within one minute of power-on, the switch sets the following session ID. Before each new login request, the switch was disconnected from the power supply and reconnected. After some time, the ID changes again.